+++ /dev/null
-From c02b50e90be9f41d6802049a1a08246e9eb1a22c Mon Sep 17 00:00:00 2001
-From: Andrea Adami <andrea.adami@gmail.com>
-Date: Tue, 8 Apr 2014 14:53:44 +0200
-Subject: ARM: pxa: hx4700.h: include "irqs.h" for PXA_NR_BUILTIN_GPIO
-
-From: Andrea Adami <andrea.adami@gmail.com>
-
-commit c02b50e90be9f41d6802049a1a08246e9eb1a22c upstream.
-
-hx4700 needs the same fix as in
-9705e74671f0e4f994d86b00cecf441917c64a66
-"ARM: pxa: fix various compilation problems"
-
-Fix build errors. Initial one is:
-/linux/arch/arm/mach-pxa/include/mach/hx4700.h:18:32: error:
- 'PXA_NR_BUILTIN_GPIO' undeclared here (not in a function)
-| #define HX4700_ASIC3_GPIO_BASE PXA_NR_BUILTIN_GPIO
-
-Signed-off-by: Andrea Adami <andrea.adami@gmail.com>
-Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
-Signed-off-by: Arnd Bergmann <arnd@arndb.de>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
----
- arch/arm/mach-pxa/include/mach/hx4700.h | 1 +
- 1 file changed, 1 insertion(+)
-
---- a/arch/arm/mach-pxa/include/mach/hx4700.h
-+++ b/arch/arm/mach-pxa/include/mach/hx4700.h
-@@ -14,6 +14,7 @@
-
- #include <linux/gpio.h>
- #include <linux/mfd/asic3.h>
-+#include "irqs.h" /* PXA_NR_BUILTIN_GPIO */
-
- #define HX4700_ASIC3_GPIO_BASE PXA_NR_BUILTIN_GPIO
- #define HX4700_EGPIO_BASE (HX4700_ASIC3_GPIO_BASE + ASIC3_NUM_GPIOS)
--- /dev/null
+From 4adb6ab3e0fa71363a5ef229544b2d17de6600d7 Mon Sep 17 00:00:00 2001
+From: Kazuya Mio <k-mio@sx.jp.nec.com>
+Date: Mon, 7 Apr 2014 10:53:28 -0400
+Subject: ext4: FIBMAP ioctl causes BUG_ON due to handle EXT_MAX_BLOCKS
+
+From: Kazuya Mio <k-mio@sx.jp.nec.com>
+
+commit 4adb6ab3e0fa71363a5ef229544b2d17de6600d7 upstream.
+
+When we try to get 2^32-1 block of the file which has the extent
+(ee_block=2^32-2, ee_len=1) with FIBMAP ioctl, it causes BUG_ON
+in ext4_ext_put_gap_in_cache().
+
+To avoid the problem, ext4_map_blocks() needs to check the file logical block
+number. ext4_ext_put_gap_in_cache() called via ext4_map_blocks() cannot
+handle 2^32-1 because the maximum file logical block number is 2^32-2.
+
+Note that ext4_ind_map_blocks() returns -EIO when the block number is invalid.
+So ext4_map_blocks() should also return the same errno.
+
+Signed-off-by: Kazuya Mio <k-mio@sx.jp.nec.com>
+Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/inode.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/fs/ext4/inode.c
++++ b/fs/ext4/inode.c
+@@ -574,6 +574,10 @@ int ext4_map_blocks(handle_t *handle, st
+ "logical block %lu\n", inode->i_ino, flags, map->m_len,
+ (unsigned long) map->m_lblk);
+
++ /* We can handle the block number less than EXT_MAX_BLOCKS */
++ if (unlikely(map->m_lblk >= EXT_MAX_BLOCKS))
++ return -EIO;
++
+ /* Lookup extent status tree firstly */
+ if (ext4_es_lookup_extent(inode, map->m_lblk, &es)) {
+ if (ext4_es_is_written(&es) || ext4_es_is_unwritten(&es)) {
--- /dev/null
+From ec4cb1aa2b7bae18dd8164f2e9c7c51abcf61280 Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Mon, 7 Apr 2014 10:54:21 -0400
+Subject: ext4: fix jbd2 warning under heavy xattr load
+
+From: Jan Kara <jack@suse.cz>
+
+commit ec4cb1aa2b7bae18dd8164f2e9c7c51abcf61280 upstream.
+
+When heavily exercising xattr code the assertion that
+jbd2_journal_dirty_metadata() shouldn't return error was triggered:
+
+WARNING: at /srv/autobuild-ceph/gitbuilder.git/build/fs/jbd2/transaction.c:1237
+jbd2_journal_dirty_metadata+0x1ba/0x260()
+
+CPU: 0 PID: 8877 Comm: ceph-osd Tainted: G W 3.10.0-ceph-00049-g68d04c9 #1
+Hardware name: Dell Inc. PowerEdge R410/01V648, BIOS 1.6.3 02/07/2011
+ ffffffff81a1d3c8 ffff880214469928 ffffffff816311b0 ffff880214469968
+ ffffffff8103fae0 ffff880214469958 ffff880170a9dc30 ffff8802240fbe80
+ 0000000000000000 ffff88020b366000 ffff8802256e7510 ffff880214469978
+Call Trace:
+ [<ffffffff816311b0>] dump_stack+0x19/0x1b
+ [<ffffffff8103fae0>] warn_slowpath_common+0x70/0xa0
+ [<ffffffff8103fb2a>] warn_slowpath_null+0x1a/0x20
+ [<ffffffff81267c2a>] jbd2_journal_dirty_metadata+0x1ba/0x260
+ [<ffffffff81245093>] __ext4_handle_dirty_metadata+0xa3/0x140
+ [<ffffffff812561f3>] ext4_xattr_release_block+0x103/0x1f0
+ [<ffffffff81256680>] ext4_xattr_block_set+0x1e0/0x910
+ [<ffffffff8125795b>] ext4_xattr_set_handle+0x38b/0x4a0
+ [<ffffffff810a319d>] ? trace_hardirqs_on+0xd/0x10
+ [<ffffffff81257b32>] ext4_xattr_set+0xc2/0x140
+ [<ffffffff81258547>] ext4_xattr_user_set+0x47/0x50
+ [<ffffffff811935ce>] generic_setxattr+0x6e/0x90
+ [<ffffffff81193ecb>] __vfs_setxattr_noperm+0x7b/0x1c0
+ [<ffffffff811940d4>] vfs_setxattr+0xc4/0xd0
+ [<ffffffff8119421e>] setxattr+0x13e/0x1e0
+ [<ffffffff811719c7>] ? __sb_start_write+0xe7/0x1b0
+ [<ffffffff8118f2e8>] ? mnt_want_write_file+0x28/0x60
+ [<ffffffff8118c65c>] ? fget_light+0x3c/0x130
+ [<ffffffff8118f2e8>] ? mnt_want_write_file+0x28/0x60
+ [<ffffffff8118f1f8>] ? __mnt_want_write+0x58/0x70
+ [<ffffffff811946be>] SyS_fsetxattr+0xbe/0x100
+ [<ffffffff816407c2>] system_call_fastpath+0x16/0x1b
+
+The reason for the warning is that buffer_head passed into
+jbd2_journal_dirty_metadata() didn't have journal_head attached. This is
+caused by the following race of two ext4_xattr_release_block() calls:
+
+CPU1 CPU2
+ext4_xattr_release_block() ext4_xattr_release_block()
+lock_buffer(bh);
+/* False */
+if (BHDR(bh)->h_refcount == cpu_to_le32(1))
+} else {
+ le32_add_cpu(&BHDR(bh)->h_refcount, -1);
+ unlock_buffer(bh);
+ lock_buffer(bh);
+ /* True */
+ if (BHDR(bh)->h_refcount == cpu_to_le32(1))
+ get_bh(bh);
+ ext4_free_blocks()
+ ...
+ jbd2_journal_forget()
+ jbd2_journal_unfile_buffer()
+ -> JH is gone
+ error = ext4_handle_dirty_xattr_block(handle, inode, bh);
+ -> triggers the warning
+
+We fix the problem by moving ext4_handle_dirty_xattr_block() under the
+buffer lock. Sadly this cannot be done in nojournal mode as that
+function can call sync_dirty_buffer() which would deadlock. Luckily in
+nojournal mode the race is harmless (we only dirty already freed buffer)
+and thus for nojournal mode we leave the dirtying outside of the buffer
+lock.
+
+Reported-by: Sage Weil <sage@inktank.com>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/xattr.c | 23 +++++++++++++++++++----
+ 1 file changed, 19 insertions(+), 4 deletions(-)
+
+--- a/fs/ext4/xattr.c
++++ b/fs/ext4/xattr.c
+@@ -517,8 +517,8 @@ static void ext4_xattr_update_super_bloc
+ }
+
+ /*
+- * Release the xattr block BH: If the reference count is > 1, decrement
+- * it; otherwise free the block.
++ * Release the xattr block BH: If the reference count is > 1, decrement it;
++ * otherwise free the block.
+ */
+ static void
+ ext4_xattr_release_block(handle_t *handle, struct inode *inode,
+@@ -538,16 +538,31 @@ ext4_xattr_release_block(handle_t *handl
+ if (ce)
+ mb_cache_entry_free(ce);
+ get_bh(bh);
++ unlock_buffer(bh);
+ ext4_free_blocks(handle, inode, bh, 0, 1,
+ EXT4_FREE_BLOCKS_METADATA |
+ EXT4_FREE_BLOCKS_FORGET);
+- unlock_buffer(bh);
+ } else {
+ le32_add_cpu(&BHDR(bh)->h_refcount, -1);
+ if (ce)
+ mb_cache_entry_release(ce);
++ /*
++ * Beware of this ugliness: Releasing of xattr block references
++ * from different inodes can race and so we have to protect
++ * from a race where someone else frees the block (and releases
++ * its journal_head) before we are done dirtying the buffer. In
++ * nojournal mode this race is harmless and we actually cannot
++ * call ext4_handle_dirty_xattr_block() with locked buffer as
++ * that function can call sync_dirty_buffer() so for that case
++ * we handle the dirtying after unlocking the buffer.
++ */
++ if (ext4_handle_valid(handle))
++ error = ext4_handle_dirty_xattr_block(handle, inode,
++ bh);
+ unlock_buffer(bh);
+- error = ext4_handle_dirty_xattr_block(handle, inode, bh);
++ if (!ext4_handle_valid(handle))
++ error = ext4_handle_dirty_xattr_block(handle, inode,
++ bh);
+ if (IS_SYNC(inode))
+ ext4_handle_sync(handle);
+ dquot_free_block(inode, EXT4_C2B(EXT4_SB(inode->i_sb), 1));
--- /dev/null
+From 6e6358fc3c3c862bfe9a5bc029d3f8ce43dc9765 Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Sat, 12 Apr 2014 12:45:25 -0400
+Subject: ext4: use i_size_read in ext4_unaligned_aio()
+
+From: Theodore Ts'o <tytso@mit.edu>
+
+commit 6e6358fc3c3c862bfe9a5bc029d3f8ce43dc9765 upstream.
+
+We haven't taken i_mutex yet, so we need to use i_size_read().
+
+Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/file.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/ext4/file.c
++++ b/fs/ext4/file.c
+@@ -82,7 +82,7 @@ ext4_unaligned_aio(struct inode *inode,
+ size_t count = iov_length(iov, nr_segs);
+ loff_t final_size = pos + count;
+
+- if (pos >= inode->i_size)
++ if (pos >= i_size_read(inode))
+ return 0;
+
+ if ((pos & blockmask) || (final_size & blockmask))
--- /dev/null
+From 34aa8dac482f1358d59110d5e3a12f4351f6acaa Mon Sep 17 00:00:00 2001
+From: Junxiao Bi <junxiao.bi@oracle.com>
+Date: Thu, 3 Apr 2014 14:46:49 -0700
+Subject: ocfs2: dlm: fix lock migration crash
+
+From: Junxiao Bi <junxiao.bi@oracle.com>
+
+commit 34aa8dac482f1358d59110d5e3a12f4351f6acaa upstream.
+
+This issue was introduced by commit 800deef3f6f8 ("ocfs2: use
+list_for_each_entry where benefical") in 2007 where it replaced
+list_for_each with list_for_each_entry. The variable "lock" will point
+to invalid data if "tmpq" list is empty and a panic will be triggered
+due to this. Sunil advised reverting it back, but the old version was
+also not right. At the end of the outer for loop, that
+list_for_each_entry will also set "lock" to an invalid data, then in the
+next loop, if the "tmpq" list is empty, "lock" will be an stale invalid
+data and cause the panic. So reverting the list_for_each back and reset
+"lock" to NULL to fix this issue.
+
+Another concern is that this seemes can not happen because the "tmpq"
+list should not be empty. Let me describe how.
+
+old lock resource owner(node 1): migratation target(node 2):
+image there's lockres with a EX lock from node 2 in
+granted list, a NR lock from node x with convert_type
+EX in converting list.
+dlm_empty_lockres() {
+ dlm_pick_migration_target() {
+ pick node 2 as target as its lock is the first one
+ in granted list.
+ }
+ dlm_migrate_lockres() {
+ dlm_mark_lockres_migrating() {
+ res->state |= DLM_LOCK_RES_BLOCK_DIRTY;
+ wait_event(dlm->ast_wq, !dlm_lockres_is_dirty(dlm, res));
+ //after the above code, we can not dirty lockres any more,
+ // so dlm_thread shuffle list will not run
+ downconvert lock from EX to NR
+ upconvert lock from NR to EX
+<<< migration may schedule out here, then
+<<< node 2 send down convert request to convert type from EX to
+<<< NR, then send up convert request to convert type from NR to
+<<< EX, at this time, lockres granted list is empty, and two locks
+<<< in the converting list, node x up convert lock followed by
+<<< node 2 up convert lock.
+
+ // will set lockres RES_MIGRATING flag, the following
+ // lock/unlock can not run
+ dlm_lockres_release_ast(dlm, res);
+ }
+
+ dlm_send_one_lockres()
+ dlm_process_recovery_data()
+ for (i=0; i<mres->num_locks; i++)
+ if (ml->node == dlm->node_num)
+ for (j = DLM_GRANTED_LIST; j <= DLM_BLOCKED_LIST; j++) {
+ list_for_each_entry(lock, tmpq, list)
+ if (lock) break; <<< lock is invalid as grant list is empty.
+ }
+ if (lock->ml.node != ml->node)
+ BUG() >>> crash here
+ }
+
+I see the above locks status from a vmcore of our internal bug.
+
+Signed-off-by: Junxiao Bi <junxiao.bi@oracle.com>
+Reviewed-by: Wengang Wang <wen.gang.wang@oracle.com>
+Cc: Sunil Mushran <sunil.mushran@gmail.com>
+Reviewed-by: Srinivas Eeda <srinivas.eeda@oracle.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Cc: Mark Fasheh <mfasheh@suse.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ocfs2/dlm/dlmrecovery.c | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+--- a/fs/ocfs2/dlm/dlmrecovery.c
++++ b/fs/ocfs2/dlm/dlmrecovery.c
+@@ -1751,13 +1751,13 @@ static int dlm_process_recovery_data(str
+ struct dlm_migratable_lockres *mres)
+ {
+ struct dlm_migratable_lock *ml;
+- struct list_head *queue;
++ struct list_head *queue, *iter;
+ struct list_head *tmpq = NULL;
+ struct dlm_lock *newlock = NULL;
+ struct dlm_lockstatus *lksb = NULL;
+ int ret = 0;
+ int i, j, bad;
+- struct dlm_lock *lock = NULL;
++ struct dlm_lock *lock;
+ u8 from = O2NM_MAX_NODES;
+ unsigned int added = 0;
+ __be64 c;
+@@ -1792,14 +1792,16 @@ static int dlm_process_recovery_data(str
+ /* MIGRATION ONLY! */
+ BUG_ON(!(mres->flags & DLM_MRES_MIGRATION));
+
++ lock = NULL;
+ spin_lock(&res->spinlock);
+ for (j = DLM_GRANTED_LIST; j <= DLM_BLOCKED_LIST; j++) {
+ tmpq = dlm_list_idx_to_ptr(res, j);
+- list_for_each_entry(lock, tmpq, list) {
+- if (lock->ml.cookie != ml->cookie)
+- lock = NULL;
+- else
++ list_for_each(iter, tmpq) {
++ lock = list_entry(iter,
++ struct dlm_lock, list);
++ if (lock->ml.cookie == ml->cookie)
+ break;
++ lock = NULL;
+ }
+ if (lock)
+ break;
--- /dev/null
+From ded2cf71419b9353060e633b59e446c42a6a2a09 Mon Sep 17 00:00:00 2001
+From: Junxiao Bi <junxiao.bi@oracle.com>
+Date: Thu, 3 Apr 2014 14:46:51 -0700
+Subject: ocfs2: dlm: fix recovery hung
+
+From: Junxiao Bi <junxiao.bi@oracle.com>
+
+commit ded2cf71419b9353060e633b59e446c42a6a2a09 upstream.
+
+There is a race window in dlm_do_recovery() between dlm_remaster_locks()
+and dlm_reset_recovery() when the recovery master nearly finish the
+recovery process for a dead node. After the master sends FINALIZE_RECO
+message in dlm_remaster_locks(), another node may become the recovery
+master for another dead node, and then send the BEGIN_RECO message to
+all the nodes included the old master, in the handler of this message
+dlm_begin_reco_handler() of old master, dlm->reco.dead_node and
+dlm->reco.new_master will be set to the second dead node and the new
+master, then in dlm_reset_recovery(), these two variables will be reset
+to default value. This will cause new recovery master can not finish
+the recovery process and hung, at last the whole cluster will hung for
+recovery.
+
+old recovery master: new recovery master:
+dlm_remaster_locks()
+ become recovery master for
+ another dead node.
+ dlm_send_begin_reco_message()
+dlm_begin_reco_handler()
+{
+ if (dlm->reco.state & DLM_RECO_STATE_FINALIZE) {
+ return -EAGAIN;
+ }
+ dlm_set_reco_master(dlm, br->node_idx);
+ dlm_set_reco_dead_node(dlm, br->dead_node);
+}
+dlm_reset_recovery()
+{
+ dlm_set_reco_dead_node(dlm, O2NM_INVALID_NODE_NUM);
+ dlm_set_reco_master(dlm, O2NM_INVALID_NODE_NUM);
+}
+ will hang in dlm_remaster_locks() for
+ request dlm locks info
+
+Before send FINALIZE_RECO message, recovery master should set
+DLM_RECO_STATE_FINALIZE for itself and clear it after the recovery done,
+this can break the race windows as the BEGIN_RECO messages will not be
+handled before DLM_RECO_STATE_FINALIZE flag is cleared.
+
+A similar race may happen between new recovery master and normal node
+which is in dlm_finalize_reco_handler(), also fix it.
+
+Signed-off-by: Junxiao Bi <junxiao.bi@oracle.com>
+Reviewed-by: Srinivas Eeda <srinivas.eeda@oracle.com>
+Reviewed-by: Wengang Wang <wen.gang.wang@oracle.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Cc: Mark Fasheh <mfasheh@suse.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ocfs2/dlm/dlmrecovery.c | 15 +++++++++++++--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+
+--- a/fs/ocfs2/dlm/dlmrecovery.c
++++ b/fs/ocfs2/dlm/dlmrecovery.c
+@@ -540,7 +540,10 @@ master_here:
+ /* success! see if any other nodes need recovery */
+ mlog(0, "DONE mastering recovery of %s:%u here(this=%u)!\n",
+ dlm->name, dlm->reco.dead_node, dlm->node_num);
+- dlm_reset_recovery(dlm);
++ spin_lock(&dlm->spinlock);
++ __dlm_reset_recovery(dlm);
++ dlm->reco.state &= ~DLM_RECO_STATE_FINALIZE;
++ spin_unlock(&dlm->spinlock);
+ }
+ dlm_end_recovery(dlm);
+
+@@ -698,6 +701,14 @@ static int dlm_remaster_locks(struct dlm
+ if (all_nodes_done) {
+ int ret;
+
++ /* Set this flag on recovery master to avoid
++ * a new recovery for another dead node start
++ * before the recovery is not done. That may
++ * cause recovery hung.*/
++ spin_lock(&dlm->spinlock);
++ dlm->reco.state |= DLM_RECO_STATE_FINALIZE;
++ spin_unlock(&dlm->spinlock);
++
+ /* all nodes are now in DLM_RECO_NODE_DATA_DONE state
+ * just send a finalize message to everyone and
+ * clean up */
+@@ -2869,8 +2880,8 @@ int dlm_finalize_reco_handler(struct o2n
+ BUG();
+ }
+ dlm->reco.state &= ~DLM_RECO_STATE_FINALIZE;
++ __dlm_reset_recovery(dlm);
+ spin_unlock(&dlm->spinlock);
+- dlm_reset_recovery(dlm);
+ dlm_kick_recovery_thread(dlm);
+ break;
+ default:
--- /dev/null
+From f7cf4f5bfe073ad792ab49c04f247626b3e38db6 Mon Sep 17 00:00:00 2001
+From: alex chen <alex.chen@huawei.com>
+Date: Thu, 3 Apr 2014 14:47:05 -0700
+Subject: ocfs2: do not put bh when buffer_uptodate failed
+
+From: alex chen <alex.chen@huawei.com>
+
+commit f7cf4f5bfe073ad792ab49c04f247626b3e38db6 upstream.
+
+Do not put bh when buffer_uptodate failed in ocfs2_write_block and
+ocfs2_write_super_or_backup, because it will put bh in b_end_io.
+Otherwise it will hit a warning "VFS: brelse: Trying to free free
+buffer".
+
+Signed-off-by: Alex Chen <alex.chen@huawei.com>
+Reviewed-by: Joseph Qi <joseph.qi@huawei.com>
+Reviewed-by: Srinivas Eeda <srinivas.eeda@oracle.com>
+Cc: Mark Fasheh <mfasheh@suse.com>
+Acked-by: Joel Becker <jlbec@evilplan.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ocfs2/buffer_head_io.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/fs/ocfs2/buffer_head_io.c
++++ b/fs/ocfs2/buffer_head_io.c
+@@ -90,7 +90,6 @@ int ocfs2_write_block(struct ocfs2_super
+ * information for this bh as it's not marked locally
+ * uptodate. */
+ ret = -EIO;
+- put_bh(bh);
+ mlog_errno(ret);
+ }
+
+@@ -420,7 +419,6 @@ int ocfs2_write_super_or_backup(struct o
+
+ if (!buffer_uptodate(bh)) {
+ ret = -EIO;
+- put_bh(bh);
+ mlog_errno(ret);
+ }
+
--- /dev/null
+From f81c20158f8d5f7938d5eb86ecc42ecc09273ce6 Mon Sep 17 00:00:00 2001
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Date: Thu, 3 Apr 2014 14:47:07 -0700
+Subject: ocfs2: fix panic on kfree(xattr->name)
+
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+
+commit f81c20158f8d5f7938d5eb86ecc42ecc09273ce6 upstream.
+
+Commit 9548906b2bb7 ('xattr: Constify ->name member of "struct xattr"')
+missed that ocfs2 is calling kfree(xattr->name). As a result, kernel
+panic occurs upon calling kfree(xattr->name) because xattr->name refers
+static constant names. This patch removes kfree(xattr->name) from
+ocfs2_mknod() and ocfs2_symlink().
+
+Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Reported-by: Tariq Saeed <tariq.x.saeed@oracle.com>
+Tested-by: Tariq Saeed <tariq.x.saeed@oracle.com>
+Reviewed-by: Srinivas Eeda <srinivas.eeda@oracle.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Cc: Mark Fasheh <mfasheh@suse.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ocfs2/namei.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/fs/ocfs2/namei.c
++++ b/fs/ocfs2/namei.c
+@@ -430,7 +430,6 @@ leave:
+
+ brelse(new_fe_bh);
+ brelse(parent_fe_bh);
+- kfree(si.name);
+ kfree(si.value);
+
+ ocfs2_free_dir_lookup_result(&lookup);
+@@ -1817,7 +1816,6 @@ bail:
+
+ brelse(new_fe_bh);
+ brelse(parent_fe_bh);
+- kfree(si.name);
+ kfree(si.value);
+ ocfs2_free_dir_lookup_result(&lookup);
+ if (inode_ac)
arm-8027-1-fix-do_div-bug-in-big-endian-systems.patch
arm-8030-1-arm-kdump-add-arch_crash_save_vmcoreinfo.patch
arm-mvebu-ensure-the-mdio-node-has-a-clock-reference-on-armada-370-xp.patch
-arm-pxa-hx4700.h-include-irqs.h-for-pxa_nr_builtin_gpio.patch
arm-7728-1-mm-use-phys_addr_t-properly-for-ioremap-functions.patch
alsa-hda-enable-beep-for-asus-1015e.patch
alsa-ice1712-fix-boundary-checks-in-pcm-pointer-ops.patch
mm-hugetlb-fix-softlockup-when-a-large-number-of-hugepages-are-freed.patch
mm-vmscan-do-not-swap-anon-pages-just-because-free-file-is-low.patch
hung_task-check-the-value-of-sysctl_hung_task_timeout_sec.patch
+ocfs2-dlm-fix-lock-migration-crash.patch
+ocfs2-dlm-fix-recovery-hung.patch
+ocfs2-do-not-put-bh-when-buffer_uptodate-failed.patch
+ocfs2-fix-panic-on-kfree-xattr-name.patch
+ext4-fibmap-ioctl-causes-bug_on-due-to-handle-ext_max_blocks.patch
+ext4-fix-jbd2-warning-under-heavy-xattr-load.patch
+ext4-use-i_size_read-in-ext4_unaligned_aio.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
